Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i want to convert my sample data to time stamp.

changwoo
Communicator
‎01-07-2014 11:01 PM

i have a raw data like 123::1312:3232::429384 and trying to included to my splunk ( to add data )

the last data 429384 is my second and i want this value to be my time stamp ..

what can i do ? :-<

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 11:19 PM

Hi changwoo,

you can find all information about timestamp recognition in the docs.

Take a closer look at Configure timestamps for specific needs

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 11:19 PM

Hi changwoo,

you can find all information about timestamp recognition in the docs.

Take a closer look at Configure timestamps for specific needs

cheers, MuS

Reply
Solved! Jump to solution

changwoo
Communicator
‎01-08-2014 12:54 AM

thanks.... i think i got it!!!!

thanks for MuS and kristian.kolb

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎01-08-2014 12:40 AM

You say;

"the last data 429384 is my second..."

So, the second since WHEN? Internally Splunk converts timestamps (one per event) into epoch which is the number of seconds since midnight Jan 1 1970. Currently, such values are 1389169530 or above. As you can see, your values of 400K is little over a week, say Jan 8 1970. Perhaps your timestamp is counting since the start of 2014, or your system still thinks it's 1970.

If you ALSO think it's 1970, you can set TIME_FORMAT = %s
in props.conf. 🙂

Otherwise you'll have to reconfigure your system/application to create better timestamps.

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-08-2014 12:29 AM

extract the seconds as new field, if not done already. Use this new field in an eval to replace _time.

your search | rex "(?\d+)$" | eval _time=MyTime

this will replace _time with the value of the seconds from your raw data. the regex is based on the provided data, this means the format does not change nor will there be any other events.

Reply
Solved! Jump to solution

changwoo
Communicator
‎01-08-2014 12:08 AM

um... i can't even search the datas..
My seconds raw data is not getting into the timestamp
my raw data time stamp is showing the current time...

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-08-2014 12:02 AM

okay, use eval with function tostring()
tostring(X,"duration") converts seconds X to readable time format HH:MM:SS.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

does that make sense?

0 Karma
Reply
Solved! Jump to solution

changwoo
Communicator
‎01-07-2014 11:52 PM

i am looking for converting my raw second data to timestamp...

NOT converting the format of the timestamp ..

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...